Radio silence from DMS vendor quartet over XSS zero-days

There has been no response or patch announced by the providers of vulnerable document management systems.

Document Management Systems Vulnerabilities

Security researchers have disclosed a series of critical vulnerabilities in document management systems (DMS) from four enterprise vendors, none of which had been patched at the time of writing.

In a recent blog post, Tod Beardsley, the director of research at Rapid7, highlighted that these cross-site scripting (XSS) vulnerabilities affect ONLYOFFICE, OpenKM, LogicalDOC, and Mayan.

The solutions Rapid7 analyzed span on-premises, cloud-based, open source, and freemium DMS offerings.

“In light of the high severity of a stored XSS vulnerability in document management systems—which are often integral to automated workflows—administrators are strongly advised to implement any vendor-provided updates as a priority,” the researchers state.

However, no updates have been issued at the time of this writing.

Examination of found vulnerabilities

The most critical vulnerability affects ONLYOFFICE’s Workspace enterprise application. Cataloged as CVE-2022-47412, it is believed to impact versions ranging from 0 to 12.1.0.1760. This stored XSS vulnerability could potentially be exploited if an attacker manages to save a malicious document within the DMS for indexing.

Once a victim opens the saved document and triggers the XSS payload, an attacker could hijack session cookies, create new privileged accounts, or intercept browser sessions to gain access to stored documents.

Two other vulnerabilities, CVE-2022-47413 and CVE-2022-47414, affect version 6.3.12 of OpenKM’s open source DMS. CVE-2022-47413 is another stored XSS that requires a victim to save a malicious document in the DMS. CVE-2022-47414 requires the attacker to have authenticated access to the OpenKM console; it is a stored XSS in the document ‘note’ function.

Additionally, four less severe vulnerabilities have been discovered in LogicalDOC’s open source DMS. Notably, CVE-2022-47416, a stored XSS within an in-app chat system, only affects the Enterprise version of the DMS.

CVE-2022-47415, CVE-2022-47417, and CVE-2022-47418 affect both LogicalDOC Community Edition and Enterprise, in versions 8.7.3 and 8.8.2 respectively. They were found in the in-app messaging system, document file name indices, and document version comments. All require some level of authentication or access, although Rapid7 notes that guest privileges are often sufficient to target administrators.

The final and least critical vulnerability is CVE-2022-47419, a tag-based XSS identified in Mayan’s open-source DMS, EDMS Workspace, version 4.3.3.

Lack of Vendor Response

In each case, Rapid7 attempted to reach out to the vendors through email, support channels, and support tickets for further engagement.

“Unfortunately, none of these vendors have responded to Rapid7’s outreach regarding the disclosures, despite coordinating these disclosures with CERT/CC,” Rapid7 stated. “Consequently, these vulnerabilities are being disclosed per Rapid7’s vulnerability disclosure policy.”

Rapid7 confirmed to The Daily Swig that it has not received any communication from these organizations since the disclosures.

Matthew Kienow, a researcher at Rapid7, uncovered the vulnerabilities.

The Daily Swig has reached out to each vendor for comments and will update the article when responses are received.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/radio-silence-from-dms-vendor-quartet-over-xss-zero-days
